1 files changed, 23 insertions, 11 deletions
diff --git a/doc/user/application_security/api_fuzzing/index.md b/doc/user/application_security/api_fuzzing/index.md
index cbe20ecde30..96236f60417 100644
--- a/doc/user/application_security/api_fuzzing/index.md
+++ b/doc/user/application_security/api_fuzzing/index.md
@@ -407,6 +407,11 @@ The API fuzzing behavior can be changed through CI/CD variables.
 From GitLab 13.12 and later, the default API fuzzing configuration file is `.gitlab/gitlab-api-fuzzing-config.yml`. In GitLab 14.0 and later, API fuzzing configuration files must be in your repository's
 `.gitlab` directory instead of your repository's root.
 
+WARNING:
+All customization of GitLab security scanning tools should be tested in a merge request before
+merging these changes to the default branch. Failure to do so can give unexpected results,
+including a large number of false positives.
+
 ### Authentication
 
 Authentication is handled by providing the authentication token as a header or cookie. You can
@@ -854,6 +859,9 @@ Optionally:
 
 - `FUZZAPI_PRE_SCRIPT`: Script to install runtimes or dependencies before the analyzer starts.
 
+WARNING:
+To execute scripts in Alpine Linux you must first use the command [`chmod`](https://www.gnu.org/software/coreutils/manual/html_node/chmod-invocation.html) to set the [execution permission](https://www.gnu.org/software/coreutils/manual/html_node/Setting-Permissions.html). For example, to set the execution permission of `script.py` for everyone, use the command: `chmod a+x script.py`. If needed, you can version your `script.py` with the execution permission already set.
+
 ```yaml
 stages:
      - fuzz
@@ -902,7 +910,9 @@ import requests
 import backoff
 
 # [1] Store log file in directory indicated by env var CI_PROJECT_DIR
-working_directory = os.environ['CI_PROJECT_DIR']
+working_directory = os.environ.get( 'CI_PROJECT_DIR')
+overrides_file_name = os.environ.get('FUZZAPI_OVERRIDES_FILE', 'api-fuzzing-overrides.json')
+overrides_file_path = os.path.join(working_directory, overrides_file_name)
 
 # [2] File name should match the pattern: gl-*.log
 log_file_path = os.path.join(working_directory, 'gl-user-overrides.log')
@@ -916,8 +926,11 @@ logging.basicConfig(filename=log_file_path, level=logging.DEBUG)
                        requests.exceptions.ConnectionError),
                        max_time=30)
 def get_auth_response():
-    return requests.get('https://authorization.service/api/get_api_token', auth=(os.environ['AUTH_USER'], os.environ['AUTH_PWD']))
-
+    authorization_url = 'https://authorization.service/api/get_api_token'
+    return requests.get(
+        f'{authorization_url}',
+        auth=(os.environ.get('AUTH_USER'), os.environ.get('AUTH_PWD'))
+    )
 
 # In our example, access token is retrieved from a given endpoint
 try:
@@ -939,14 +952,14 @@ try:
 # requests.ReadTimeout                      : The server did not send any data in the allotted amount of time.
 # requests.TooManyRedirects                 : The request exceeds the configured number of maximum redirections
 # requests.exceptions.RequestException      : All exceptions that related to Requests
+except json.JSONDecodeError as json_decode_error:
+    # logs errors related decoding JSON response
+    logging.error(f'Error, failed while decoding JSON response. Error message: {json_decode_error}')
+    raise
 except requests.exceptions.RequestException as requests_error:
     # logs  exceptions  related to `Requests`
     logging.error(f'Error, failed while performing HTTP request. Error message: {requests_error}')
     raise
-except requests.exceptions.JSONDecodeError as json_decode_error:
-    # logs errors related decoding JSON response
-    logging.error(f'Error, failed while decoding JSON response. Error message: {json_decode_error}')
-    raise
 except Exception as e:
     # logs any other error
     logging.error(f'Error, unknown error while retrieving access token. Error message: {e}')
@@ -961,8 +974,6 @@ overrides_data = {
 }
 
 # log entry informing about the file override computation
-overrides_file_path = os.path.join(
-    working_directory, "api-fuzzing-overrides.json")
 logging.info("Creating overrides file: %s" % overrides_file_path)
 
 # attempts to overwrite the file
@@ -975,7 +986,7 @@ try:
         fd.write(json.dumps(overrides_data).encode('utf-8'))
 except Exception as e:
     # logs any other error
-    logging.error(f'Error, unkown error when overwritng file {overrides_file_path}. Error message: {e}')
+    logging.error(f'Error, unknown error when overwriting file {overrides_file_path}. Error message: {e}')
     raise
 
 # logs informing override has finished successfully
@@ -998,6 +1009,7 @@ echo "**** install python dependencies ****"
 python3 -m ensurepip
 pip3 install --no-cache --upgrade \
     pip \
+    requests \
     backoff
 
 echo "**** python dependencies installed ****"
@@ -1028,7 +1040,7 @@ In the previous sample, you could use the script `user-pre-scan-set-up.sh` to al
 
 ### Exclude Paths
 
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/211892) in GitLab 14.0.
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/211892) in GitLab 14.0.
 
 When testing an API it can be useful to exclude certain paths. For example, you might exclude testing of an authentication service or an older version of the API. To exclude paths, use the `FUZZAPI_EXCLUDE_PATHS` CI/CD variable . This variable is specified in your `.gitlab-ci.yml` file. To exclude multiple paths, separate entries using the `;` character. In the provided paths you can use a single character wildcard `?` and `*` for a multiple character wildcard.